
#MobSec5 mobile security news for the week of Feb. 13

Welcome to your RSA Conference 2017 edition of #MobSec5. This year’s conference included a slew of mobile security talks as part of the Mobile & IoT Security track. You’ll find a list of those talks, along with recordings and slides, on the RSA Conference website.

During his RSA Conference 2017 talk “Delivering Secure, Client-Side Technology to Billions of Users,” Director of Android Security Adrian Ludwig discussed Google’s efforts to secure the Android platform. You can review Ludwig’s slides here. One slide, titled “Actual protection vs. newsworthy exploits,” compares three Android vulnerabilities that made headlines with the known exploits of each in the wild:

Master Key vulnerability: 99 percent of devices vulnerable; no known exploits prior to public disclosure; less than eight devices per million exploited post-disclosure.

FakeID vulnerability: 82 percent of Android users impacted; no known exploits prior to public disclosure; less than one device per million exploited post-disclosure.

Stagefright vulnerability: 95 percent of devices vulnerable; no confirmed exploits pre- or post-disclosure.

It’s fortunate that, as far as Google knows anyway, these Android vulnerabilities have not been exploited on a large scale. As NowSecure CEO Andrew Hoog warned during his own talk (save your seat for an encore webinar presentation next Tuesday), however, history will likely repeat itself — the fundamental ingredients for large scale mobile attacks and compromises exist. Remember that for years Microsoft Windows avoided major security incidents or wide-scale infections — that is until the ILOVEYOU worm in 2000. Predators follow their prey — more people are using more mobile devices more frequently for more sensitive transactions. The fact is millions of Android devices remain vulnerable to the very serious Stagefright bug (maybe even the personal device President Trump is rumored to be using), regardless of whether there’s evidence of attackers exploiting the vulnerability.

“Trump took a phone call about North Korea’s missile test in full view of Mar-a-Lago guests, and the nuclear football made a Facebook cameo.”

Last Saturday evening, North Korea launched a ballistic missile. On the other side of the globe at the Mar-a-Lago club in Florida, President Trump dined with Japanese Prime Minister Shinzo Abe. Suddenly, the terrace became a flurry of activity as the two world leaders conferred over documents ablaze with the shine of a smartphone flashlight. As the Washington Post reports, “Phones — especially phones with their flashes turned on for improved visibility — are portable television satellite trucks and, if compromised, can be used to get a great deal of information about what’s happening nearby.” Press secretary Sean Spicer has said that only press conference logistics, nothing classified, were discussed during dinner and the president was briefed about the missile launch in a secure area. It’s still unclear whether President Trump uses a Secret Service-approved, secured smartphone, or an old, off-the-shelf Android device, or both. Two senators have asked for written confirmation by March 9 that Trump has a secured device in his possession and is using it, or if not, what device he is using.

“If I gave you my phone right you’d be able to figure out a lot of stuff about me. If I didn’t unlock it you’d see some of the news I read, the apps I use, and even some of the messages I’ve gotten from my friends.”

“The enterprise privacy app, designed to separate personal and business information, is open to attacks putting corporate data at risk.”

The researchers were scheduled to present their findings Friday morning at RSA Conference during their talk “Mobile Containers—The Good, the Bad and the Ugly.” Slides and potentially a recording of the talk are likely to be published on the RSA Conference 2017 website.

“The discovery of NSO’s spyware on the phones of Mexican nutrition policy makers, activists and even government employees raises new questions about whether NSO’s tools are being used to advance the soda industry’s commercial interests in Mexico.”

“A team of Dutch researchers has found a technique that undermines that so-called address space layout randomization, creating the You Are Here arrow that hackers need to orient themselves inside a stranger’s computer. That means any of the common memory corruption bugs found in software applications on a daily basis could lead to a much deeper takeover of a target PC or smartphone.”

“The Trump administration has held off on issuing an executive order on how it wants federal agencies to enforce cyber-security.”

There’s still no official word on President Trump’s executive order on cybersecurity, though two documents said to be drafts of the order have been published. We told you what we thought about the original draft on the NowSecure blog. Late last week, the Lawfare Blog published what they claim to be a revised version. USA Today reported that some people expected the president to release the order during RSA Conference 2017. Congressman Bennie Thompson told Politico this week, “I now understand that it’s several drafts later. I heard today that [the finished version] could come out anytime between now and when the president speaks to Congress.” Trump plans to address Congress on Tuesday, February 28.

“Verizon Communications Inc. is close to a renegotiated deal for Yahoo! Inc.’s internet properties that would reduce the price of the $4.8 billion agreement by about $250 million after the revelation of security breaches at the web company, according to people familiar with the matter.”

“Corporate IT pros face the unenviable task of trying to protect valuable data from threats that change all the time. One vector of attack is clearly smartphones and tablets that employees use both for work and pleasure.”

“A few months ago I wrote about how you can encrypt your entire life in less than an hour. Well, all the security in the world can’t save you if someone has physical possession of your phone or laptop.”

“A security vulnerability in Windows 10 Mobile allows anyone to bypass the security code and access the photo gallery on a device running either production or preview builds shipped as part of the Windows Insider program.”

“You were sort of taking Google at its word as a user that Verify Apps was indeed rummaging around to keep tabs on things. Now you can see some of what it’s doing—the settings menu now shows which apps have recently been scanned.”